Hi, first i wanna say thanks to all here fort he great helping setting up my radius as an part of my work at my Engineers-Exam work.
Yesterday I finished my work and found my 2 Mistakes why computer authentication didnt wor properly at my network and now I wanna share this for you all here,knowing some of you are having still the same problems: First only the problem with machine authentication and after I passed my exams at 15.Juli I will post here an link to my whole Dokumentation describing how to set up my whole project including the following: An CA created with TinnyCA as frontend for openssl, freeradius @debian stable with EAP-TLS Support, LDAP-Backend for Dynamik VLAN Assignment Rules, VLAN Routing @ an Layer 3 Core Switch and finaly Clients 200,X?,Linux duing firstly an Machine Authentication(*tricky but possible*) pulled into and basically VLAN with the DHCP,DNS and ADS Servers in an separate Subnet and VLAN, then Users can log onto the domain, getting their final User-Certifikate, thrown into their final working vlan and getting the final Subnet from the DHCP. This workes now great put firstly only the main problem, the machine certificates. What you hav e to do if you create it with TinyCA to get working Certifikates for machine Authentication in a short sequenze and where are the problems I figured out. OK setting up TinyCA is easy and the binding to freeradius is describeld here a lot. The final Steps are the following especially for Windows: Under Openssl-Configuration in TinyCA put the OID 1.3.6.1.5.5.7.3.1 at the ServerCertifikate into ExtendedKey usage, and the 1.3.6.1.5.5.7.3.2 into Client Certifikate Extended Key Usage. This is basically and essential for successful authentication but not all. For machine authentication create an client Certifikate and now the real important things. 1. The CN Name has to match with the local Computer name only or as an full qualified name of the computer,both is possible. 2. The Email field MUST!!!! Be filled in the full qualified Computer name like workstatio1.exampledomain.de This entry is important for machine authentication because Windows XP searches for the field subjectAltName to find the certificate in the computer store. If this issent present authentication failes first time and after the internal counter of xp expire the second autjentication is successful(why??) But ok, add this and all is fine. In the openssl.cnf of TinnyCA you can see that the Email field is copied to the field subjectAltName. I will write a letter to the developer of TinnyCA if he could make a separate field for this.... Export the certificate as PKS12 an check include certificate and fingerprint (if fingerprint is important I will figure out later and tell you,havent found time checking this) but the Key must be included. And the last thing is that you have to import the computercertifikate not per doubleclick (In this case the certificated is stored at the CurrentUser Store and you have to copy it over mmc to the computer store, but this doesnt work, the certificate isnt correctly found if you do this that way!!!!!) Best ist to open mmc,doing a snap in of LocalComputer and the go to "Eigene Certifikate, right click onto it,All Tasks,import" then import the certificate and now you have the ca.certifikate and your computer certificate in the Store, now you have finaly to move the ca Certifikate into the root CertifikateStore under your ComputerAccountStore. Thats all at the mmc. Then go to the preferences of your network connection, Authentifikation tab, EAP-Tpye Propperties and at the list you have to check "Check Servercertifikate" uncheck Connect to this Server(this is optional) and at the list check your CA. If you also have a User Certifikate installed you will find there your CA 2 times. It is not important which you select, one should be enough. Finaly I can say what was here discussed you dont have to set another OID which is discussed here at one thread and you only have to change your registry if you have special requiremens to the authentication behaviors. The Basic setting of registry seams to be enough. I added the SupplicantMode DWORD with a value of 3 but this only seams to get start authentication faster than without but is not essential for basic setup. OK this is only an small dirty description for the first time, a better one will follow soon. But I thought many of you struggling over this and it would be good posting this fast. Sorry for typing mistakes, may someone will correct this :-) @Alan: Is their an interest posting my doku to the wiki, I can send the final document to you! Greetings and good luck Armin - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html